An Evaluation of FPGA-based IDS Pattern Matching Techniques

Ioannis Sourdis†, Dionisios Pnevmatikatos‡, and Stamatis Vassiliadis†

†Computer Engineering Laboratory, Electrical Engineering Department, Delft University of Technology, The Netherlands
{Sourdis,Stamatis}@CE.ET.TUDelft.NL
Tel: +31-15-27-89656 Fax: +31-15-27-84898

‡Microprocessor and Hardware Laboratory, Electronic and Computer Engineering Dept., Technical University of Crete, Chania, Greece
Pnevmati@MHL.TUC.GR

Abstract

Pattern matching is one of the most computationally intensive tasks in network security systems. Numerous pattern matching approaches have been proposed in the past. The most common ones use regular expressions, discrete comparators or CAM, pre-decoding, and hashing to match patterns. The researchers' first concern was to achieve high operating throughput in order to process incoming packets at wire rates. Since the set of patterns to match grows rapidly, however, pattern matching designers have also started to consider the area cost of their designs. In this paper, we attempt an evaluation of FPGA-based pattern matching techniques for network security systems. We measure the efficiency of pattern matching modules in terms of obtained performance per area cost.

Keywords: pattern matching, FPGA, Intrusion Detection Systems, network security

1 Introduction

The area of intrusion detection systems has been very active recently. Deep packet inspection is performed by intrusion detection systems (IDS) to provide sufficient protection from attacks [10]. Such systems check the packet header, rely on pattern matching techniques to analyze the packet payload, and make decisions on the significance of the packet body. Matching every incoming byte, though, against thousands of pattern characters at wire rates is a computationally intensive task. Measurements on the Snort IDS show that 80% of total processing is spent on string matching in the case of Web-intensive traffic [11].
In the past, numerous hardware units have been proposed for FPGA-based IDS pattern matching that can match thousands of patterns in parallel (tens of thousands of characters in total) [13, 18, 6, 12, 7, 16, 14, 2, 8, 4, 19, 3, 15, 9, 4, 20]. Generally speaking, the performance of FPGA-based systems is promising and shows that FPGAs can support the increasing needs of network security. Regular expressions, discrete comparators, CAM and hashing are some of the most common techniques for IDS pattern matching. We evaluate different IDS pattern matching approaches, including our own solutions [19, 18, 20], in terms of performance and area cost, and analyze their efficiency and the trade-offs that occur.

The remainder of the paper is organized as follows: in Section 2 we describe different pattern matching methods. In Section 3, we present detailed implementation results of the best published pattern matching solutions and compare them using a performance efficiency metric. Finally, in Section 4 we present our conclusions.

2 IDS Pattern Matching Methods

In this section we describe different pattern matching techniques for intrusion detection implemented in FPGAs. We discuss the characteristics, advantages